The Certification and Accreditation Process Handbook for Certifiers establishes a standard approach for performing C&A by providing guidance on the C&A activities and the associated level of effort required based on assurance requirements and other tailoring factors related to the system. Assurance is defined as a measure of confidence that the security features, attributes, and functions enforce the security policy. Assurance can be established for operations (enterprises), systems, operational environments, and components or mechanisms. Assurance refers to the claims and evidence for believing the correctness, effectiveness, and workmanship of the security service or mechanism. Certification verifies and validates the security assurance for a system associated with an environment. Accreditation evaluates whether the operational impacts associated with any residual system weaknesses are tolerable or unacceptable. Life-cycle assurance requirements provide a framework for secure system design, implementation, and maintenance.
National Institute of Standards and Technology, NCSC-TG-031